The Green Sheet

Wednesday, October 15, 2014

Lessons from the JPMorgan breach

The evolution of the recent JPMorgan Chase & Co. data breach that compromised tens of millions of customer details raises more questions than answers. As a follow-up to the news story posted online on Oct. 10, The Green Sheet asked the data security experts quoted in that article for their opinions on what can be done to bolster the data security infrastructure, given the increasing frequency and sophistication of cyberattacks.

The Green Sheet: It seems like the current defensive strategies are not working well enough, since the number and size of breaches seems to be growing. So what is the solution?

Dr. Mike Lloyd, Chief Technology Officer at RedSeal Networks: It’s significant to see that the attackers who broke in and stole some customer data from JPMC have been detected on the networks of other major payment companies. That said, there’s no public information yet to indicate these other locations suffered breaches – it’s quite likely that most suffered only some unwanted reconnaissance.

Attackers have an important capability, thanks to the way the Internet works: they can "twist doorknobs" on a global scale, using quite basic automation tools. That is, given one concept for a possible exploit, they can rapidly search across the attack surface of many organizations, to see if the technique causes any doors to spring open. In many cases, attackers don’t even need to look for specific targets – they can simply start searching widely, and see what pops up in their dragnet. The fact that many organizations can see the "doorknob twisting" coming from specific locations is just an illustration of the ease with which attackers can move laterally, from target to target, exploiting any weak points found.

The necessary response for defenders is to automate the mapping, assessment, and reduction of the attack surface of the organization. No business today can have zero attackable surface – if you interact with customers, then bad actors can find a way to exploit that. But each increase in attack surface is an increase in risk, and one more door that might accidentally be left unlocked. Attackers have no difficulty searching exhaustively for weak points; defenders need to do the same, starting by mapping out and assessing their total network attack surface.

Michele Borovac, Vice President at HyTrust: Companies must assume that attackers are already inside their networks. Like the military, security best practices always incorporate "defense in depth." To both prevent and curtail these kinds of attacks, organizations need to take a look at where their sensitive data resides, and secure it from the inside out. As recent attacks have proven, administrator accounts are ripe targets, and organizations that have virtualized their data centers should pay careful attention to virtualization admins. These accounts typically have very broad powers with few controls in place to track what they can and can’t do. To build defense in depth:

  1. Implement two-factor authentication for all admins: Even if a hacker gets a username/password for an admin through phishing or by accessing credentials through an authorized third party, they will not be able to access admin accounts without the secondary token.
  2. Automate authorization: Put controls in place that ensure admins can only manage what they need to, and automate workflows for secondary approval for any sensitive operations.
  3. Encrypt your data: Encryption is the best way to ensure data is only accessible to those authorized to see it. Just make sure your system supports policy-based, enterprise-ready key management – you don’t want to protect all your data with a weak password.
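The first two items above (a second factor for every admin, plus scoped authorization with a separate approver for sensitive operations) fit naturally into a single gate that every privileged action passes through. The following is an added example written for this page, not code from HyTrust or from the article; the admin directory, scopes, approver set, and the list of "sensitive" operations are constructed, and the first secret is the RFC 6238 test-vector key so the result can be checked against the RFC.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import struct

# --- Layer 1: second factor (RFC 6238 TOTP, HMAC-SHA1, 30 s step, 6 digits) ---

def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """Return the TOTP code for base32 secret `secret_b32` at Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def totp_valid(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to tolerate clock drift.
    compare_digest avoids leaking which digits matched through timing."""
    return any(hmac.compare_digest(totp(secret_b32, at + k * 30), code)
               for k in range(-window, window + 1))

# --- Layer 2: scoped authorization and secondary approval (all constructed) ---

ADMINS = {
    # RFC 6238 test-vector secret ("12345678901234567890" in base32); constructed scopes
    "alice": {"secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
              "scopes": {"vm.start", "vm.stop", "vm.snapshot"}},
    "bob":   {"secret": "JBSWY3DPEHPK3PXP", "scopes": {"vm.start", "vm.stop"}},
}
APPROVERS = {"carol"}                               # people allowed to give second approval
SENSITIVE = {"vm.snapshot", "vm.export"}            # operations that need a second person
AUDIT_LOG: list[tuple[str, str, bool, str]] = []   # (admin, op, allowed, reason)

def authorize(admin: str, password_ok: bool, code: str, op: str, now: int,
              approver: str | None = None) -> tuple[bool, str]:
    """Each check is one layer; the first failing layer denies and the decision is logged."""
    rec = ADMINS.get(admin)
    if rec is None or not password_ok:
        decision = (False, "bad credentials")
    elif not totp_valid(rec["secret"], code, now):
        decision = (False, "second factor failed")          # phished password alone is not enough
    elif op not in rec["scopes"]:
        decision = (False, f"{admin} is not authorized for {op}")
    elif op in SENSITIVE and (approver is None or approver == admin or approver not in APPROVERS):
        decision = (False, f"{op} requires approval by a separate approver")
    else:
        decision = (True, "ok")
    AUDIT_LOG.append((admin, op, decision[0], decision[1]))
    return decision

if __name__ == "__main__":
    t = 59  # RFC 6238 test time; alice's code at this instant is 287082
    print(authorize("alice", True, "287082", "vm.stop", t))
    print(authorize("alice", True, "287082", "vm.snapshot", t))
    print(authorize("alice", True, "287082", "vm.snapshot", t, approver="carol"))
    print(authorize("bob", True, totp(ADMINS["bob"]["secret"], t), "vm.snapshot", t))
```

The snapshot case shows why the approval check is separate from the scope check: alice is in scope for `vm.snapshot`, but the operation still does not proceed until someone other than alice signs off, and every decision, allowed or not, lands in the audit log so that the "what admins can and can't do" question has a record behind it.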

Martin Walter, Senior Director at RedSeal Networks: Network segmentation seems to be the holy grail of the industry to counter the majority of these sophisticated attacks. Segmenting these networks effectively remains a dream, though, without automated systems that support the design of a segmented network and proper access policy validation.

Businesses struggle to keep up with business needs and with keeping their IT agile to serve the business. With that, the network is so dynamic – and has to be – that a major re-architecture such as network segmentation puts a lot of risk on the business if not properly planned. Not to mention the different influences and influencers who architected the network in the first place and moved on (i.e. "too many architects spoiled your network"). Proper planning is only possible if you truly understand every aspect of your network, from routing to single ACLs [access control lists] allowing exactly one business application to talk to another. Without automated applications that give you this visibility and intelligence, from big picture down to individual ACLs, enterprises will never be able to perform this type of re-architecture without putting significant risk on the business processes the network needs to support. Hence, if you try to just "figure it out yourself," network segmentation will remain a dream as it will never be successful.
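Both RedSeal answers come down to the same task: map which zone can reach which, then compare that against what the business actually intended. As an added example (written for this page; not RedSeal's product or code), the script below walks an ordered, first-match ACL for every zone pair and port and reports flows the ACL permits that the segmentation policy does not. The zones, the rule list, and the policy are all constructed; 203.0.113.0/24 is the documentation range standing in for "the Internet". The deliberately planted problems are a broad legacy rule (`10.0.0.0/8` to the cardholder database) and a rule that covers only half of the DMZ, which the checker reports as "mixed" rather than silently guessing.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str            # CIDR
    dst: str            # CIDR
    port: int | None    # None matches any destination port
    action: str         # "allow" or "deny"

# Constructed zone inventory: name -> the prefix that zone occupies
ZONES = {
    "internet":   "203.0.113.0/24",
    "dmz":        "10.1.0.0/24",
    "app":        "10.2.0.0/24",
    "cardholder": "10.3.0.0/24",
    "mgmt":       "10.9.0.0/24",
}

# Constructed ACL, evaluated top-down, first match wins
RULES = [
    Rule("203.0.113.0/24", "10.1.0.0/24", 443, "allow"),   # web tier faces the Internet
    Rule("10.1.0.0/24", "10.2.0.0/24", 8443, "allow"),     # DMZ -> app tier
    Rule("10.2.0.0/24", "10.3.0.0/24", 5432, "allow"),     # app -> cardholder DB
    Rule("10.9.0.0/24", "10.0.0.0/8", 22, "allow"),        # mgmt may SSH anywhere internal
    Rule("10.1.0.0/25", "10.9.0.0/24", 22, "allow"),       # planted: half the DMZ -> mgmt
    Rule("10.0.0.0/8", "10.3.0.0/24", 5432, "allow"),      # planted: old "temporary" rule
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),          # default deny
]

# Constructed segmentation policy: the only flows the business intends ("*" = any zone)
POLICY = {
    ("internet", "dmz", 443),
    ("dmz", "app", 8443),
    ("app", "cardholder", 5432),
    ("mgmt", "*", 22),
}

def evaluate(rules: list[Rule], src_cidr: str, dst_cidr: str, port: int) -> str:
    """First-match walk for a whole-zone flow.
    Returns the matching rule's action, "deny" if nothing matches, or "mixed" when the
    first overlapping rule covers only part of the flow (some hosts allowed, some not)."""
    src, dst = ipaddress.ip_network(src_cidr), ipaddress.ip_network(dst_cidr)
    for r in rules:
        rs, rd = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        if r.port not in (None, port):
            continue
        if not (src.overlaps(rs) and dst.overlaps(rd)):
            continue
        if src.subnet_of(rs) and dst.subnet_of(rd):
            return r.action
        return "mixed"
    return "deny"

def permitted(policy: set, src_zone: str, dst_zone: str, port: int) -> bool:
    return (src_zone, dst_zone, port) in policy or (src_zone, "*", port) in policy

def audit(zones: dict, rules: list[Rule], policy: set) -> list[tuple[str, str, int, str]]:
    """Every (src zone, dst zone, port) the ACL lets through that the policy never asked for."""
    ports = sorted({r.port for r in rules if r.port is not None} | {p for _, _, p in policy})
    findings = []
    for s, snet in zones.items():
        for d, dnet in zones.items():
            if s == d:
                continue
            for p in ports:
                verdict = evaluate(rules, snet, dnet, p)
                if verdict != "deny" and not permitted(policy, s, d, p):
                    findings.append((s, d, p, verdict))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(ZONES, RULES, POLICY):
        print("policy violation:", finding)
```

Run against the constructed data this reports three findings: the DMZ and the management zone can both reach the cardholder database on 5432 through the legacy `10.0.0.0/8` rule, and part of the DMZ can SSH into management ("mixed"). The first-match walk is the important design choice: checking rules in isolation would miss a shadowing deny above them, and checking a single representative host per zone would miss the half-covered DMZ rule entirely.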

GS: Given the sophistication of the attack vector(s) that fraudsters employ today, how much confidence do you have in JPMorgan's claim that the hack did not include the compromise of customers' financial credentials, like credit card and Social Security numbers?

Adam Kujawa, Head of Malware Intelligence, Malwarebytes Labs (the research arm of Malwarebytes): There is honestly no reason for a company to lie about something like that unless they are going to withhold the entire truth. If the attackers were able to grab more than just the personally identifiable information that they got (i.e. credit cards, Social Security numbers, etc.) then it would only be a matter of time before JPMC customers would start seeing things like purchases they didn’t make or other identity theft type activities. At which time, they could point the finger at JPMC who told them previously that only names, addresses, e-mails, and phone numbers were stolen and call them out on their lie. Sophistication of attacks aside, the organizations that we put faith in when it comes to our personal information and finances do employ at least some security measures, in order to keep the easy attacks out and hopefully prevent serious attacks. JPMC most likely has far greater security on the servers containing credit card and Social Security numbers than they do on their basic customer interface or whichever system the attackers were able to extract the data from.
